Created
June 17, 2023 07:46
-
-
Save kerus1024/6a631b36d1db8b190d5c1ea11bb366f2 to your computer and use it in GitHub Desktop.
Bind SSH port with HTTPS SNI Routing using HAProxy
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| global | |
| log /dev/log local0 | |
| log /dev/log local1 notice | |
| chroot /var/lib/haproxy | |
| stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd list eners | |
| stats timeout 30s | |
| user haproxy | |
| group haproxy | |
| daemon | |
| # Default SSL material locations | |
| ca-base /etc/ssl/certs | |
| crt-base /etc/ssl/private | |
| # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0 .3&config=intermediate | |
| ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128- GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA -CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA -AES256-GCM-SHA384 | |
| ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA 384:TLS_CHACHA20_POLY1305_SHA256 | |
| ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets | |
| frontend https | |
| bind *:443 | |
| mode tcp | |
| tcp-request inspect-delay 5s | |
| tcp-request content accept if { req.ssl_hello_type 1 } | |
| tcp-request content accept if { req.len 0 } | |
| acl sni_sslvpn req.ssl_sni -i "softether-sslvpn.kerus.net" | |
| acl sni_sslvpn req.ssl_sni -i "softether-sslvpn.kerus.net/tcp" | |
| acl sni_http1 req.ssl_sni -i "plex.kerus.net" | |
| acl sni_http1 req.ssl_sni -m end .plex.direct | |
| acl sni_http2 req.ssl_sni -i "blog.kerus.net" | |
| # SSH | |
| acl client_attempts_ssh payload(0,7) -m bin 5353482d322e30 | |
| use_backend sslvpn if sni_sslvpn | |
| use_backend nginxh1 if sni_http1 | |
| use_backend ssh if client_attempts_ssh | |
| use_backend ssh if !{ req.ssl_hello_type 1 } { req.len 0 } | |
| default_backend nginxh2 | |
| backend sslvpn | |
| mode tcp | |
| server sslvpn 192.168.10.3:443 send-proxy | |
| backend nginxh1 | |
| mode tcp | |
| server nginx-h1 127.0.0.1:8081 send-proxy check | |
| timeout client 0 | |
| timeout server 0 | |
| timeout connect 0 | |
| backend nginxh2 | |
| mode tcp | |
| server nginx-h2 127.0.0.1:8082 send-proxy check | |
| timeout client 0 | |
| timeout server 0 | |
| timeout connect 0 | |
| backend ssh | |
| mode tcp | |
| server SSHPVE 127.0.0.1:22 send-proxy check | |
| defaults | |
| log global | |
| mode tcp | |
| option httplog | |
| option dontlognull | |
| retries 3 | |
| timeout client 0 | |
| timeout server 0 | |
| timeout connect 10s | |
| errorfile 400 /etc/haproxy/errors/400.http | |
| errorfile 403 /etc/haproxy/errors/403.http | |
| errorfile 408 /etc/haproxy/errors/408.http | |
| errorfile 500 /etc/haproxy/errors/500.http | |
| errorfile 502 /etc/haproxy/errors/502.http | |
| errorfile 503 /etc/haproxy/errors/503.http | |
| errorfile 504 /etc/haproxy/errors/504.http | |
| maxconn 3000 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
See also: https://github.com/path-network/go-mmproxy